Weird versions of Ace of Aces from Accolade


During dump comparison I found three different dumps of Ace of Aces. Two different program versions with three different loaders.

It would be quite interesting to find out the story behind these dumps.

The probably main released version is "Ace of Aces (1987)(Accolade)(US)[req 64K].ATX" from Farb's archive.
It is protected with two sets of duplicate sectors, one sector with a CRC error and heavily EOR-encrypted code. So there is nothing special about this one.



Decryption of code:

1C23: A0 7F             LDY #$7F
1C25: B9 80 1C          LDA $1C80,Y
1C28: 59 00 1C          EOR $1C00,Y
1C2B: 99 80 1C          STA $1C80,Y    # This one is missing in the ATR
1C2E: 88                DEY
1C2F: 10 F4             BPL $1C25

More decryption of code:

1CD7: A9 09             LDA #$09
1CD9: 8D 9B 1D          STA $1D9B
1CDC: 20 72 1D          JSR $1D72
1CDF: A0 00             LDY #$00       # This whole loop ...
1CE1: B9 00 80          LDA $8000,Y
1CE4: 59 00 81          EOR $8100,Y
1CE7: 99 00 80          STA $8000,Y
1CEA: B9 00 81          LDA $8100,Y
1CED: 59 00 82          EOR $8200,Y
1CF0: 99 00 81          STA $8100,Y
1CF3: C8                INY
1CF4: D0 EB             BNE $1CE1      # ... is missing in the ATR
1CF6: A5 14             LDA RTCLOK+2
1CF8: C5 14             CMP RTCLOK+2
1CFA: F0 FC             BEQ $1CF8

The area $8000-$82FF contains the protection check.


Atarimania and Fandal have the same program version but with no protection at all in the image "Ace of Aces.ATR".
It uses the same loader as the ATX. The weird thing about this loader is the fact that it seems not to be cracked BUT to be assembled specifically to not have the protection checked.
It omits single instructions or whole blocks of code in several places. They are not NOPed out but just not there. No cracker would have made such an effort to remove a copy protection.
But why would a developer create a specifically unprotected copy of its own software?


The same code as above as an example:

NON-decryption of code:

1C23: A0 7F             LDY #$7F
1C25: B9 80 1C          LDA $1C80,Y
1C28: 59 00 1C          EOR $1C00,Y
here is an STA in the ATX
1C2B: 88                DEY
1C2C: 10 F7             BPL $1C25
1C2E: C8                INY

More NON-decryption of code:

1CD1: A9 09             LDA #$09
1CD3: 8D 7E 1D          STA $1D7E
1CD6: 20 55 1D          JSR $1D55
here is an EOR-loop in the ATX
1CD9: A5 14             LDA RTCLOK+2
1CDB: C5 14             CMP RTCLOK+2
1CDD: F0 FC             BEQ $1CDB

The area $8000-$82FF is empty.


The third dump is "Ace of Aces (1987)(Accolade)(US)[a1][!][req 64K].ATX" which again is part of Farb's archive.
This one has different game code and a loader which checks for the same protection as the first ATX but fails completely in its task due to ludicrous programming errors.


Programming errors:

Missing "#" leading to sector reads to non-existing sectors 721-767:

1BEF: A9 BE             LDA #$BE
1BF1: A0 02             LDY #$02
1BF3: 20 45 1C          JSR $1C45	# read sectors $2be-$2ff 702-767
1BF6: AD 0A 03          LDA DAUX1
1BF9: 18                CLC
1BFA: 69 01             ADC #$01
1BFC: C5 CE             CMP $CE		# =$00     => (should be #$CE)
1BFE: D0 F1             BNE $1BF1	# ... until sector $2ff (instead of $2cd)

"unexpected" read error of sector with bad CRC which should be expected:

1C66: 20 78 1C          JSR $1C78	# =JSR SIOV
1C69: 30 01             BMI $1C6C	# sector bad => crash     => ($2ce is intentionally bad)
1C6B: 60                RTS		# go ahead if good
1C6C: 00                BRK		# bad result of sector $2ce branches to BRK-interrupt, ...
1C6D: A9 00             LDA #$00	# ... runs into this code ($1c6e is BRK) ...
1C6F: A0 04             LDY #$04	# ... $1c70 is NOP $8D ...
1C71: 8D 04 03          STA DBUFLO	# ... $1c72 is NOP CASINI+1 ...
1C74: 8C 05 03          STY DBUFHI	# ... and returns "by accident" to the calling code
1C77: 60                RTS		# ... with this RTS

Verify contents of protection sectors.

1C7F: A2 00             LDX #$00
1C81: BD 00 21          LDA $2100,X	# contents of sectors $2cf 1of2 and $2cd 2of2
1C84: DD 00 20          CMP $2000,X	# contents of sectors $2cf 2of2 and $2ce     => (instead of $2cd 1of2)
1C87: D0 05             BNE $1C8E	# exit loop if bytes differ     => (succeeds always at sector $2ce)
1C89: E8                INX
1C8A: D0 F5             BNE $1C81
1C8C: F0 DE             BEQ $1C6C	# => crash if both buffers are identical
1C8E: A2 00             LDX #$00
1C90: BD 80 20          LDA $2080,X	# contents of sector $2ce
1C93: 49 FF             EOR #$FF
1C95: DD 01 31          CMP $3101,X	#     => nothing done with the result of the CMP!
1C98: E8                INX
1C99: E0 26             CPX #$26	# only bytes $00-$25 of sector
1C9B: D0 F3             BNE $1C90
1C9D: A2 00             LDX #$00
1C9F: BD 00 21          LDA $2100,X	# contents sectors $2cf 1of2 and $2cd 2of2
1CA2: 5D 00 A1          EOR $A100,X	#     => (which are the ones read by a standard copy anyway)
1CA5: 9D 00 08          STA $0800,X
1CA8: E8                INX
1CA9: D0 F4             BNE $1C9F
1CAB: 60                RTS


Attached are all these dumps (including cracks of both ATXs).

Ace of Aces (1987)(Accolade)(US).zip

Edited by DjayBee
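
The addressing-mode slip in the sector-read loop at $1BEF-$1BFE of the third dump, modeled in Python as an added example (not part of the post and not code from the loader). It assumes that JSR $1C45 requests the sector whose low byte is in A and high byte in Y, and that zero-page $CE holds $00 as the listing's comment states; `sectors_read` and `beyond_disk` are hypothetical names.

```python
# Added model of the loop at $1BEF-$1BFE; not code from the dump.
LAST_SECTOR = 720  # the post calls sectors 721-767 non-existing

def sectors_read(immediate, zp_ce=0x00):
    """Sectors requested before the loop exits.

    immediate=True  models CMP #$CE (compare A with the constant $CE).
    immediate=False models CMP $CE  (compare A with the byte at $00CE,
    which the listing's comment gives as $00).
    """
    a, y = 0xBE, 0x02                      # LDA #$BE / LDY #$02
    requested = []
    while True:
        requested.append((y << 8) | a)     # JSR $1C45 (assumed: sector = Y:A)
        a = (a + 1) & 0xFF                 # LDA DAUX1 / CLC / ADC #$01
        operand = 0xCE if immediate else zp_ce
        if a == operand:                   # CMP / BNE $1BF1 falls through
            return requested

def beyond_disk(sectors):
    """Requested sectors that lie past the end of the disk."""
    return [s for s in sectors if s > LAST_SECTOR]

if __name__ == "__main__":
    for label, imm in (("CMP #$CE", True), ("CMP $CE ", False)):
        got = sectors_read(imm)
        print(label, f"${got[0]:03X}-${got[-1]:03X}", len(got), "reads,",
              len(beyond_disk(got)), "past the last sector")
```
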
Maybe the one with no checks was leaked from Accolade before CP was put in?


Leaked maybe but not before CP was put in because a LOT of its code is already there.


The first two examples above show the same code with two exceptions:


  • In the first case a single assembler command "STA $1C80,Y" is missing. It is the one which writes the decrypted byte back to RAM because the ATR has the code unencrypted on disk. BUT the "LDA $1C80,Y" and "EOR $1C00,Y" are still there.

  • In the second case a complete EOR-loop is missing.


It looks like somebody had the source of the loader, commented out a few lines which were essential for protection and assembled it.
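
The two EOR loops compared in this thread, modeled in Python as an added example (not part of the thread and not code from either loader). All memory contents are constructed sample bytes, and `encrypt_pages` is a hypothetical helper used only to produce an encrypted sample image; the model shows why the ATR loader still yields intact code once the STA is gone and the data is stored unencrypted.

```python
# Model of the two EOR loops quoted above; memory contents are constructed samples.

def eor_loop_1c23(mem, store=True):
    """$1C23-$1C2F: Y runs $7F..$00, A = mem[$1C80+Y] EOR mem[$1C00+Y]."""
    for y in range(0x7F, -1, -1):
        a = mem[0x1C80 + y] ^ mem[0x1C00 + y]
        if store:  # STA $1C80,Y, the instruction absent from the ATR loader
            mem[0x1C80 + y] = a

def eor_loop_1cdf(mem):
    """$1CDF-$1CF4: $8000,Y is XORed with the still-encrypted $8100,Y first."""
    for y in range(0x100):
        mem[0x8000 + y] ^= mem[0x8100 + y]
        mem[0x8100 + y] ^= mem[0x8200 + y]

def encrypt_pages(mem):
    """Inverse of eor_loop_1cdf (hypothetical helper): the order is swapped."""
    for y in range(0x100):
        mem[0x8100 + y] ^= mem[0x8200 + y]
        mem[0x8000 + y] ^= mem[0x8100 + y]

def demo():
    key = bytes((7 * i + 3) & 0xFF for i in range(0x80))
    plain = bytes((13 * i + 1) & 0xFF for i in range(0x80))
    pages = bytes((5 * i + 9) % 251 for i in range(0x300))

    atx = bytearray(0x10000)                 # protected image: encrypted on disk
    atx[0x1C00:0x1C80] = key
    atx[0x1C80:0x1D00] = bytes(p ^ k for p, k in zip(plain, key))
    atx[0x8000:0x8300] = pages
    encrypt_pages(atx)
    on_disk = bytes(atx[0x8000:0x8300])

    atr = bytearray(0x10000)                 # unprotected image: plain on disk
    atr[0x1C00:0x1C80] = key
    atr[0x1C80:0x1D00] = plain

    eor_loop_1c23(atx, store=True)
    eor_loop_1cdf(atx)
    eor_loop_1c23(atr, store=False)          # result is computed, never written
    return {
        "atx_1c80": bytes(atx[0x1C80:0x1D00]) == plain,
        "atx_8000": bytes(atx[0x8000:0x8300]) == pages,
        "disk_differs": on_disk != pages,
        "atr_1c80": bytes(atr[0x1C80:0x1D00]) == plain,
    }

if __name__ == "__main__":
    print(demo())
```
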


